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s.17 
Wong.Mark 
From: Hum.Simon 
Sent: June 6, 2018 10:09 AM 
To: 
Cc: Jacobs.Oscar; Seguin.Nicole; Trottier.Sarah 
Subject: RE: PIA for GCMS data pulls 
Follow Up Flag: Follow up 
Flag Status: Flagged 
Hl: - Sorry | meant to provide you my opinion in writing immediately after that meeting but got pulled away, 


then it fell off my radar. Thanks for the prompt and my apologies for the tardiness on my follow up. As per our 
discussion in April with regard to this tool, ATIP does not have any privacy concerns and as such, a PIA is not required for 
this activity. 

Best Regards, 

oimon Hum 

NHQ - Corporate Affairs | AC - Affaires corporatives 

Immigration, Refugees and Citizenship Canada | Immigration, Réfugiés et Citoyenneté Canada 

360 Laurier Avenue West Ottawa ON K1A 1L1 | 360 avenue Laurier Ouest Ottawa ON K1A 1L1 

Office | Bureau NAR A1012 

oimon.Hum(Dcic.d 
Telephone | Téléphone 613-437-5910 

Government of Canada | Gouvernement du Canada 


From: 

Sent: June 6, 2018 8:39 AM 

To: Hum.Simon 

Cc: Jacobs.Oscar ; Seguin.Nicole ; Trottier.Sarah 

Subject: RE: PIA for GCMS data pulls 

HiSymon, 

From our meeting in late April, you advised that we would not need a PIA for our Chinook tool. 

However, | still do not have your answer in writing. Can you please respond to this message so we can keep a copy for 
our records? 

Thanks 


From: 
Sent: April 26, 2018 3:19 PM 
To: Hum.Simon «5imon.Humi g 
Cc: Jacobs.Oscar <OscarJacoos@cic.gc.ca>; Seguin.Nicole <Nicole. Sesuin@cic.ec.ca>; Trottier.Sarah 
<Saran.lrottier@cic.e 
Subject: PIA for GCMS data pulls 
Hi Symon, 
Nice to meet you yesterday. 
Below is a summary for you to give your official answer regarding our meeting to inquire whether ATIP thought we 
needed a PIA for the data extraction we are doing to populate our processing tool. 
Any questions or additional clarifications, just let me know. 

e The data requested from 

e The tool, and the data in the tool, will be used across IN, CN, and DN to assist officers in making decisions on 

temporary Resident cases. 
e Using the tool has proven quicker than reviewing eDocs in GCMS. 
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e The data will be exported ı and populated in the tool. 


e The data is not directly related to decision-making and this information is available today through existing 
processes in the system using 
e We are not asking for anything that is not already currently being used in the field. — s46(2)(c) 


e What is being built is a more coherent report only. s.17 
Thanks, s.21(1)(a) 
s.21(1)(b) 


From: Hum.Simon 

Sent: April 24, 2018 3:10 PM 

To: ME | 

Subject: RE: PIA process? 

Do you have any background material that you can share in advance of the meeting? 
Symon Hum 

Senior Privacy Advisor, Corporate Affairs 

immigration, Refugees and Citizenship Canada / Government of Canada 

Simon.Hum @cic.gc.ca / Tel: 613-437-5910 

L'Unité de la protection des renseignments personnels, des politiques et de la gouverance, Affaires corporatives 
immigration, Réfugiés et Citoyenneté Canada / Gouvernement du Canada 

Simon. Hum cic. / Tél.: 613-437-5910 


oue. s 
à CRE à 
POSER DENT gai eee, Pee Pe 
BER RPP E tuetut EP LL BA RE PELE Xs 


From: ! 

Sent: April 24, 2018 3:05 PM 
To: Hum.Simon <Simen. sume 
Subject: RE: PIA process? 

Yep, that’s it. 


From: Hum.Simon 

Sent: April 24, 2018 2:56 PM 
To: 

Subject: RE: PIA process? 

| accepted a meeting regarding something about the Chinook tool ~ is that the one? 

Symon Hum 

Senior Privacy Advisor, Corporate Affairs 

immigration, Refugees and Citizenship Canada / Government of Canada 

Simon.Hum @cic.ec.ca / Tel: 613-437-5910 

L'Unité de la protection des renseignments personnels, des politiques et de la gouverance, Affaires corporatives 
immigration, Réfugiés et Citoyenneté Canada / Gouvernement du Canada 

Simon. Hum @cic.ec.ca / Tél.: 613-437-5910 


From: 

Sent: April 24, 2018 2:39 PM 

To: Hum.Simon <Simon. une 

Subject: RE: PIA process? 

Hi Simon, you should have received an invite for tomorrow afternoon to discuss along with SIMB. 
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To note that the data taken from 

to assist officers in making decisions on files quicker than reviewing eDocs in GCMS. The 
data is not related to decision-making directly and this information is available today through existing processes in the 
system. What is being built is a more coherent report. 


Thanks 
s.17 
s.21(1)(a) 
From: Hum.Simon 
Sent: April 23, 2018 10:09 AM eM 
To: | 
Subject: FW: PIA process? 
Good Morning - perhaps we can meet to discuss this project, as | will need more details in order to advise you 
accordingly. Feel free to send me a meeting invite at your convenience. 
Symon Hum 


Senior Privacy Advisor, Corporate Affairs 

"iae ie Refugees and Citizenship Canada / Government of Canada 
Simon.Hum @cic.gc.ca / Tel: 613-437-5910 

E Te té T la protect on des renseignments personnels, des politiques et de la gouverance, Affaires corporatives 
immigration, Réfugiés et Citoyenneté Canada / Gouvernement du Canada 


ic.gc.ca / Tél.: 613 e ooo, 


From: Pitter. Tiffany 
Sent: April 23, 2018 8:55 AM 


To: Hum.Simon «Simon.Hum i cic.gc.ca»; Dunn.Amy <Amy.Dunn@cic.ec.ca>; Parent.Stefany 
<Stefany.Parent@cic.ec.ca>; Norwick.Adam <Acam.Norwick@cic.sc.ca>; McColl.Donald <Denaid. McColl @cic.ec.ca> 


Cc: Dunn.Michelle «Miicheile.Dunn& ci 

Subject: FW: PIA process? 

Good morning, 

Please find below a question from IN in respect to the PIA process. 
Thanks, 

Tiffany Pitter 

Privacy, Policy and Governance Unit 

Access to Information and Privacy Division 

NHQ - Corporate Affairs 

Immigration, Refugees and Citizenship Canada 

360 Laurier Avenue West Ottawa ON K1A 1L1 

tiffany .pitter@cic.gc.ca 
a 613- 437- 5611 

Government of Canada 

L'unité de la protection des renseignements personnels, des politiques et de la gouvernance 
Division de l'acces à l'information et protection des renseignements personnels 

AC - Affaires corporatives 

Immigration, Réfugiés et Citoyenneté Canada 

360 avenue Laurier Ouest Ottawa ON K1A 1L1 


MIS ace 613- 437- 5611 
Gouvernement du Canada 


From: Bright.Lindsay 
Sent: April 22, 2018 8:34 PM 
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Cc: Pitter. Tiffany <Ti y Dale: s.21(1)(a) 
Subject: FW: PIA process? s.21(1)(b) 
Good evening PPG, 

Over to you 

Thanks, 

Lindsay 


From: | 

Sent: April 20, 2018 10:18 AM 

To: ATIP / AIPRP (IRCC) «IRCC.ATIP-AIPRP IRCC@cic.ec.ca> 

Cc: Gallant.Stephanie <Stepnanie.Gallant@cic.gc.ca>; Jacobs.Oscar <Oscar.Jacobs@cic.gc.ca> 
Subject: PIA process? 

Hi ATIP team, 

IN is currently working on a processing tool that involves some! 


| understand that OPP's Advanced Analytics team also did a PIA recently and they advised me the first step was to go 
through ATIP. 

Do you know of the process to follow for a PIA? 

Thanks, 


| 

Senior Analyst | Analyste principal 

Strategic Planning and Delivery | Planification stratégique et exécution 

International Network | Réseau international 

Immigration, Refugees and Citizenship Canada | Immigration, Réfugiés et Citoyenneté Canada 
Government of Canada | Gouvernement du Canada 
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Accountability 


Accountability | 


Accountability | 


Identifying 
Purpose 


Accountability 


| Risk Description 


There isa 

! inModule3's | — 

Section is inaccurate, ineffective and 
unnecessary in the processing of TR 
applications. 


There is a risk that Chinook is not a 
temporary tool and that it will be a 
long-term solution to assist in the 
processing of TR applications. 
Moreover, it could be expanded to 
process other IRCC applications. 


There is a risk that Chinook 
continues to operate without a 
formal governance structure which 
could negatively impact necessary 
privacy protections. 


Chinook PRA Action Plan 6/30/20 


À Collection 


Limiting Use, 


Limiting 


Retention 
| Recommendation 


Recommended that IRCC validate 
the necessity and effectiveness of 
the 7 such that it 
supports the continued presentation 
of the in Module 3. 


It is recommended that IRCC 
consider this risk and ensure 
contingency plans are in place to 
ensure proper privacy protections 
are in place if Chinook becomes a 
long-term solution or is expanded to 
other application types. 


Recommended that IRCC develop a 
formal governance structure to 
support the development, 
management, and necessary privacy 
protections related to Chinook in five 
areas: general approval authority, 


procedures, training, and awareness 


Disclosure, and 


Immigration, Refugees Immigration, Réfugiés 


L'information divulguée en vertu de la loi sur l'accés à l'information 


Chinook Privacy Risk Analysis Action Plan =° 


Individual 
Access 


Mitigation 


We are removing the 
that include the 
from Module 3. 


Change scheduled for release in July 
2020. 


Chinook 2.0 is a funded IRCC project 
with Projects Branch leading . 
Privacy protections and IT Security 
will be up to IRCC standards for the 
enterprise solution. 

We are not expanding Chinook 1.0 to 
other applications types. 


There is a draft governance structure 
in place for Chinook 1.0 


IN is working with IRM on 
governance for the Module 5 

o Latest meeting June 
29, 2020. 
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Chinook Privacy Risk Analysis Action Plan ~ 


Limiting Use, 
Disclosure, and 
Retention 


Individual 
Access 


. Limiting 
, Collection 


Identifying 


Accountability NS = : Purpose 


Mitigation 


| Recommendation 


| Risk Description 


There is a risk that Chinook's use of | e It is recommended that IRCC | | in module 3 is being 
Module 5 and the - determine if the use of Module 3 removed from Chinook. 
of Module 3 is inconsistent and Module 5 : | 
with TBS's Directive on Automated | | IN and CN have reviewed the TBS 
Decision Making. - utilize analytics in a manner | directive on Automated Decision 
| wherein the TBS Directive on - Making and agree that it does not 
Automated Decision Making applies. Pa. apply. 


Accountability | 


GCMS Change Request #514354 
approved and awaiting for 
implementation. 


There is a risk that are 
being processed in absence of proper 
notice to the applicant that prior 
is used for “and 
purposes and that such 
the processing 
of the individual's application. 


Recommended that IRCC modify 
the Privacy Notice Statement (PNS) 
on Form IMM 1295 (paper and e- 
application) such that it contains 
the same paragraph which is found 
in the PNS on the TRV and SP 
application forms. 


Purpose 


It was submitted September 26, 
2019 and is pending TDSS 
implementation. 


Identifying : 


There is a risk that access tothe GC |. Recommended that IRCC restrict || Since January 2020, Chinook ~ 

Docs folder where IT Operations staff | | access to the EDW extracts to the | were moved to a 

upload daily Enterprise Data | | least number of staff as possible. : - 

Warehouse (EDW) extracts allows | - Furthermore, it is recommended 0 The access is granted 


Limiting | 
Collection 


more access than is | | that once EDW data is extracted and | - by EDW after receiving a list of 
necessary/justified. i stored in the folder for consumption : - names from IN Chinook team. 
si by IN offices, the data files cannot be mL The list of access names will be 
modified. LT reviewed bi-annually. 
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Limiting Use, | 
Disclosure, and 


Limiting Use, | 


Disclosure, and 


Limiting Use, | 
Disclosure, and 


Retention Retention 


Retention 


Identifying 
Purpose 


Accountability 


| Risk Description 


There is a risk that Chinook is a 
System of Record (SOR) and the daily 
purging of data files is inconsistent 
with the retention practices of TR 
application data. 


There is a risk that Chinook Experts, 
who are responsible for purging EDW 
extracts on a daily basis, are not 
doing so. 


There is a risk that there are multiple 
copies of Chinook being stored by 
Officers/Managers in email accounts 
and local drives. 


Chinook PRA Action Plan 6/30/20 


À Collection 


Chinook Privacy Risk Analysis Action Plan 


Limiting Use, 


Limiting 


Retention 


| Recommendation 


Recommended that IRCC consult 
with the Department's Information 
Management (IM) SMEs to 
determine if Chinook is transitory 
information or if it is a SOR. 


Notwithstanding the outcome of 
Risk 47, it is recommended that 
IN's awareness material remind 
Chinook Experts that their 


should contain only one version of a 


each EDW data extract. 


It is recommended that Chinook 
procedures and awareness are 
issued to staff regarding the 
creation, retention, and destruction 
of Chinook versions. 


Disclosure, and 


Immigration, Refugees Immigration, Réfugiés 
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s.16(2)(c) 


Individual 
Access 


Mitigation 


IN met with Info Management on 
June 22, 2020. Their email of June 26 
indicated the consensus at that time 
was that the Mod 3 worksheets are 
transitory. 


A message to replace the EDW 
extracts each day has been shared 
with Area Experts. 

This will be included in User Manuals 
as well. 


A message to delete Excel 
spreadsheets has been shard with 
Area Experts on monthly 
teleconferences. This will also 
include be included in the Module 
3+4 User Manual currently in 
development by CN. Mod 3 
disclaimer now reminds officers to 
delete spreadsheets on a daily basis 
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Chinook Privacy Risk Analysis Action Plan . 


Limiting Use, 
Disclosure, and 
Retention 


Identifying 


1 Limiting 
b Purpose 


1 Individual 
&& Collection 


Access 


Accountability Safeguarding 


| Risk Description 


Recommendation 


Mitigation 


There is a risk that Module 5 E It is recommended that IN interface a IN has received guidance from 
- with the IRCC DSO and determine | | Admissibility Branch and IPG Branch 
in accordance with Protected/ ND | | EB on the classification of information 
Classified information requirements — | : the appropriate information security a received from The 
of IRCC and the Government of | 0 designation for the Module 5 | 0 classification is the responsibility of 
Canada. | determined to be Secret, IRCC would. the receiving RAO. IN has instructed 

> a have to | a RAOs that information submitted to 

of the Module 5 > Chinook must have a maximum 
WE designation of Protected B. 


Les 


There is a risk that Chinook | | Recommended the following portion | | We are removing the 
information will not be released to a of the Module 3 disclaimer is | i from Module 3 therefore, 


an indivicua or cue to the reviewed and approved by ATIP: - - the disclaimer is not required. 


been reviewed/approved by IRCC | | We are replacing it with info to 
ATIP. E E reinforce etc. 


Due July 2020. 


Individual 


Note that there were no risks identified with the following principles: Consent, Openness, and Compliance. 
No risks were identified regarding Accuracy that have not already been identified in another risk; for example, see Risk #1. 


For more detail, please see: http//gcdocs2.c.ec.ca/otcs/cs.exe?tunczli&obiactionzoverview&obiid-z242026475 


PROBABILITY x IMPACT = RISK 


High 
Élevée 


T PROBABILITÉ x INCIDENCE - NIVEAU D 

z = High risk: May require Minister or Deputy Minister involvement 
2 Be 4d = = Risque élevé : Peut exiger l'intervention du ministre ou du Sous- 
is x un Ministre 

coU c mm | 

ak "s 3 M = Medium risk: May require involvement at Assistant Deputy 

E E finister (ADM) level 

be # = Risque modéré : Peut exiger l'intervention au niveau de Sous- 
a " linistre Adjoint (SMA) 

2 Es 

x ep OS z Low risk: Managed by routine procedures, or may require 


nvolvement of Director General (DG 


= Risque faible : Risque géré dans fe cadre des procedures 
Unlikely Possible Likely sueles, ou peut exiger l'intervention du Directeur/Directrice Générale 
| ig DGj 
improbable Probable 
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1. OVERVIEW 


This Privacy Risk Assessment (PRA) has been developed to assess the privacy risks associated with the 
use of Chinook; a tool assisting IRCC staff in the processing of temporary residence (TR)! visa 
applications and actioning decisions in the Global Case Management System (GCMS). 


Section 6.3.1 of Treasury Board Secretariat's (TBS's) Directive on Privacy Impact Assessment, in part, 
requires a Privacy Impact Assessment (PIA) to be authored and submitted to the Office of the Privacy 
Commissioner (OPC) when a program or activity involving personal information undergoes 'substantial 
modification.’ In consultation with IRCC's Access to Information and Privacy (ATIP) Division, IRCC has 
determined that the use of Chinook to support the processing of TR applications is not a substantial 
modification to the existing TR application processing and, therefore, a PIA is not required. However, 
IRCC desires a PRA on Chinook and staff's use of the tool to ensure appropriate safeguards are in place. 


This document is not a PIA nor is it intended to be submitted for review and recommendation to the 
Office of the Privacy Commissioner (OPC). It is intended for internal consideration only and written in 
accordance with the scope section of this report; see Section 1.4. 


1.1 Description and Development of Chinook 


Over the last approximately five (5) years, IRCC has been experiencing significant increases in the 
volume of TR applications. In parallel, overseas offices have been experience processing and 
connectivity issues with GCMS. First, for some offices, the Canadian mission's connection to GCMS (via 
Citrix) is slow or unavailable, or GCMS is otherwise not responding quickly. Second, updates to GCMS 
are performed by National Headquarters (NHQ) during business hours of some overseas offices. While 
not a daily occurrence, when GCMS maintenance is performed it removes an office's ability to process 
any applications for several hours. Regardless of what time NHQ decides to perform maintenance, 
multiple overseas offices are impacted. Third, the manner in which data is searched for and presented 
to users in GCMS can be time consuming — the data required for consideration in approving or refusing a 
TR application is not always presented in GCMS in an efficient and effective manner. 


Considering the pressure IRCC has in processing TR applications, some overseas offices have developed 
workarounds for these issues. For example, Smartbook was a MS Excel solution developed in 

collaboration between offices in Abu Dhabi, Ankara, and London. Hiraya, a similar tool, was developed 
by the IRCC office in Manilla. Both tools utilized | to populate 
MS Excel spreadsheets to assist officers in considering details of an application and reaching a decision. 


Once decisions were 
to enable offices to close off/action applications more efficiently. It typically 


entailed a manual process of ı 


! For the purposes of this PRA, a TR application is considered an application to visit Canada, as well as permits to 
study or work. 
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Smartbook and Hiraya represent the most sophisticated tools developed by overseas offices to assist in 
processing TR applications. Smartbook was used in London, Ankara, Abu Dhabi, and several other 
Offices for approximately one-year spanning 2017 and 2018. Hiraya was used in Manila and several 
surrounding offices in Southeast Asia for less than 12 months in 2017. | 

but it has 
not been verified from all users of Smartbook and Hiraya. 


Other offices are known to have used far less advanced solutions which followed the same model — 
assess applications outside of GCMS faster and subsequently access GCMS to record the TR decision. 


With multiple, and sometimes similar, processing tools being developed across the networks, subject 
matter experts (SMEs) from the International Network (IN), Centralized Network (CN), and Domestic 
Network (DN) met in January 2018 and again in May 2018 to plan/design a global processing tool that 
could be used across all networks for TR applications. The aim of the meetings was to consolidate and 
hone existing concepts and to create a universal tool that uses GCMS data and presents it in a way that 
allows the user to select multiple cases outside GCMS for bulk processing while realizing considerable 
processing efficiency gain. Buy-in for the project was secured from Solutions and Information 
Management Branch (SIMB), Operations Planning and Performance (OPP), and Immigration Program 
Guidance (IPG). In preparation for the January 2018 SME meeting in London, the following 'Guiding 
Principles’ were developed to ensure bias was not the driver for tool choice, thereby ensuring the best 
solution was selected. 


Provide ease of use for users, including an intuitive interface; 


DS 


Rely on repairable technology (i.e.: low tech so that no specialized technical knowledge is 
required if repairs and adjustments are needed); 
Applicable to e-applications and paper applications; 


Can be universally applied (for use by IN, CN, an DN); 

Incorporate ^ ^|  . factors in a statistically significant way; 

Are scalable for use in large or small offices with a range of diverse or homogenous caseloads; 
Compatible with other external data/toolsets (i.e. 12); and 


OS Sg E dien 


Increase the quantity and quality of TR decision-making across the networks in a consistent 
manner. 


Ultimately, the result of these meetings was the development of a tool called Chinook. While different, 
it is most aligned with Development of Chinook was organized into modules with 
each module adding a different layer of functionality to the tool. Initially, the modules were prioritized 
and modules 1 (File Management), 3 (Decision-Maker) and 4 (Post Decision) were planned and 
developed in 2018. The coding, testing and deployment of the remaining modules have either been 
completed or are planned for deployment in fiscal year (FY) 2019-20. Section 2.4 of this PRA provides a 
more detailed description of the deployment schedule and users for all : modules. 
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1.2 Project Peacock 


In December 2018, Project Peacock mandated the use of Chinook at the Delhi Office by a team of 20 
experienced Visa Officers. The intent of the project was to process all pending VAC TR applications in 
the Delhi inventory. Over the course of four weeks, Chinook was used in the following manner: 


e  Decisions-makers reviewed application details in Module 3 and used Module 4 to generate 
refusal notes and refusal grounds. 


e Decision makers recorded final decisions in GCMS but did not enter notes, grounds for refusal, 
or generate letters in GCMS. 

e The Chinook Action Lists from Module 4 (for refusals) were compiled into a master spreadsheet 
and sent to CN/Operations Support Centre (OSC) on daily basis. 

e |n GCMS, CN/OSC copies and pastes the refusal notes, generated refusal grounds, and 
generated the refusal letters in the appropriate print queue 


By having CN perform the GCMS activities, the Peacock team of officers were able to process 17% more 
decisions during their temporary duty assignment. Over the course of the four weeks, the team of 20 
officers, with OSC's support, completed approximately 42,000 TR applications. 


1.3 Future of Chinook 


The current plan for Chinook is to finalize the development and deployment of all Chinook modules to 
all regions of IN and CN. In parallel to Chinook deployment, IT Operations (a branch within 
Transformation and Digital Solutions Sector — TDSS) is tasked with developing GCMS functionality which 
provides the features of Chinook or building the Chinook functionality in an IT Operations maintained 
and supported tool with an ultimate goal of decommissioning Chinook within five years. 


1.4 Scope of this PRA 


The scope of this PRA is to assess the privacy risks associated with Chinook (modules 1 to 6), as well as 
the uses of the tool. As such, this PRA scope includes a description and analysis of the following: 


. Data stored in Chinook, including the origin of that data 
2. GCMS data extracts performed by EDW staff to support the use of Chinook by IRCC regions 
3. Identification of any new data in Chinook 
a. Specific focus on Module3's . | section 
b. Specific focus on Module 5 and the presentation of Module 5 in Module 3 
User roles/access to Chinook 
5. Safeguarding, retention and disposal of Chinook data extracts and decisions recorded in Chinook 


Conversely, the following is out of scope for this PRA: 


1. Adetailed description and analysis of the TR application process. 
2. Safeguards, user roles, and accessibility of information in GCMS and the EDW 
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3. Integrity/Investigative activities of IRCC regarding TR applications, including any immigration 
enforcement activities. 

4. Chinook Toolbox: this module provides users with tools which does not utilize any of the EDW 
data extracts from GCMS. It provides links to the /mmigration and Refugee Protection Act 
(IRPA), the Criminal Code of Canada, currency converter, and other similar tools. No personal 
information is stored/used in the Toolbox, therefore, no privacy analysis is required. 
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2. CHINOOK ADMINISTRATION 


This section provides an overview of various administrative functions related to Chinook, including 
governance, user roles, training, and GCMS data extracts. 


2.1 Roles and Responsibilities 


The following groups/divisions within IRCC have responsibilities in the development, maintenance, and 
use of Chinook. 


1. IN: SMEs on the processing of TR applications in GCMS. Every office in the IN maintains a 
Chinook Expert, who are the SMEs on Chinook for that office/region. The Chinook Experts, or 
their designees, are responsible for downloading EDW data extracts daily, provide training and 
leadership on the use of Chinook, and act as a liaison to IN NHQ regarding Chinook. 


IN at NHQ also maintains several key resources in the maintenance and training of Chinook. 
Furthermore, the Risk Assessment Officer Coordinator (RAOC), who approves all Module 5 
and Module 5’s is part of IN NHQ. 


2. CN: isresponsible for the IT development of Chinook. 


3. DN: the DN is less involved in the use of Chinook, as well as the development of the tool. DN 
does not process TR applications so, at this time, there is one DN Chinook Expert who is the DN 
liaison to the Chinook project; however, there are no DN Chinook users. 


4. Transformation and Digital Solutions Sector (TDSS)/Information Technology (IT) Operations: IT 


Operations maintains a dedicated team to the department's Enterprise Data Warehouse (EDW). 
Daily, one person is responsible for extracting the data files necessary for Chinook to be used 
across the globe. Also, TDSS is responsible for integration of Chinook into GCMS. 


5. Integrity Risk Management (IRM): provides IN with assistance on the development of a Module 
5 governance structure. 


2.2 Governance 


In the formulation of Chinook, there was no formal governance structure regarding approvals and 
decisions. As reflected throughout this PRA, some decisions and parts of Chinook were approved 
informally. Additionally, certain aspects of Chinook are migrating to a more established governance 
framework with robust procedures to reflect approvals and activities. 


2.3 Chinook Training 


IRCC has established a list of Chinook Experts within the NHQ area of Ottawa as well as throughout the 
IN. Those persons who have been identified as Chinook Experts are expected to receive training on 
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s.16(2)(c) 


those modules which have not been released and pass on that training to staff within their office. 
Moreover, they are the first point of contact within their region related to reports and troubleshooting 
of any Chinook-related issues. 


When an office deploys Chinook and new modules of the tool, the following training sessions are 
delivered by Chinook Experts in NHQ or in the local office by Chinook Experts: 


Familiarization 

Engagement 

Functional training 

Distribution of SOPs and User Guides 
Virtual implementation 

Pre-launch set up and adjustments 


PU UO ducas AE 


Go Live 
Additionally, there is support after Go-Live as well as troubleshooting and resolution provided by NHQ. 


To date, there have been approximately 15 Chinook training sessions provided by Chinook experts in 
various offices within the IN. 


2.4 Current Users (July 2019) 


The following provides a summary of Chinook users; currently as well as planned. 


Table 1: Chinook Users 


Module Number and Name Description of Users and Plan 


Module 1: File Management Approximately 1/3 of 53 TR processing offices (including CPC-O) use this 
module. 


Module 2: Pre-Assessment No users as of July 2019; deployment schedule is to go live with this 
module in the Fall 2019 


Module 3: Decision-Maker and Except the U.S. Network, all 53 TR processing offices and the CPC-O use 


Module 4: Post Decision these two modules. Note these two modules are used in conjunction with 
each other. Module 3 brings the application data, and 
Module 5 into one MS Excel spreadsheet, while Module 4 supports 


the decision and recording of those decisions in GCMS. 
Module 5: Available for all offices (including the U.S. Network) to request 


to be populated into Module 3. 


Toolbox No data extract from the EDW; just a group of useful tools like IRPA 


Out of Scope for this PRA language, and currency converter, as well as others. All users have access 
to this module. 


Protected A 12 | dlc 
A4144594 12-000020 


Immigration, Refugees Immigration, Réfugiés 
fi + il and Citizenship Canada et Citoyenneté Canada 
Information disclosed under the Access to Information Act 
L'information divulguée en vertu de la loi sur l'acces à l'information 


Chinook PRA; Version 3.0; August 22, 2019 


The U.S. Network does not use Chinook due to their caseload which require more officer involvement 5.16(2)(c) 
and analysis, including a higher percentage of specialization TR applications including diplomatic and 

official visits, rehabilitation applications, permanent resident determinations, temporary resident 

permits and authorities to return to Canada. However, as stated in the above table, they can create 


Module 5 indicators which can be used within Chinook by all offices. 


IRCC would like to see each office use all modules but the decision to use all modules is a decision left 
at the discretion of each office. The current timelines for deployment across the IN varies from one 
office to another. 


2.5 Chinook Data Files/Data Extracts by EDW Staff 


Daily (including weekends), data extracts are obtained from the Enterprise Data Warehouse (EDW) 
which contains a copy of GCMS. The extract queries are performed at approximately 9:00 a.m. EST but 
may be later based on the updates from transactional databases to the EDW. An assigned staff person 
performs multiple queries of the EDW and saves those files to a dedicated area of GC Docs; specifically, 
the TR > Report > Chinook folder. 


The extracts performed are: 


1. Extract for Module 1 (daily): an extract of all open TR applications with the data/fields listed in 


Table 2 below. 

2. Extract for Module 3 (daily): an extract of open TR applications with the data/fields listed in 
Table 3 below. 

3. Extract for Module 3 (daily): an extract for the section of 


Module 3 with the data/fields listed in Table 4 below. This data is used to assess up to ` 
|» A on open applications with past applications with the same 
| . While this data is 
extracted daily and made available to staff in the above referenced GC Docs folder, Chinook 
experts do not update the data files daily; most, if not all offices, update their data files monthly. 
4. Extract for Module 4 (daily): an extract of refusal letters not sent to the applicant. As of July 
2019, this daily extract is queried from the EDW and stored in the above referenced GC Docs 
folder; however, use of this data set is current under User Acceptance Testing (UAT) in the 
Ankara office. Outside of Ankara, no one is currently using this EDW extract. Plans are for the 
extract to be used sometime in Fall/Winter 2019 (dependent on development resources). 
5 - er ee ee HORE Mon OMAHA rem 


The data extracted for Module 6 is listed in Table 5. 


All queries are performed and then structured via region such that each region obtains, for example, 
Module 1 data specific to their region. 


NN: 
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When a new extract is stored in the TR » Reports » Chinook folder, the EDW staff person writes over the 
previous day's file. However, GCDocs maintains a version history of all files; therefore, on a monthly 
basis, the EDW staff person purges all prior versions except for the prior seven days. At any given time, 
the GC Docs folder may have the existing version of the above five extracts and the prior 7-30 calendar 
days of data extracts. 


All regions are aware of the timelines for these data pulls and each office functions on data that is at 
least 24 hours old. 


The following tables provides a high-level description of the five EDW data extracts. 


Table 2: Module 1 Data Extracts from EDW/GCMS 


Received Date 


Application Number 


Language 

Primary Office 

Assigned To 

Category 

Subcategory Requested Item 
Counterfoil Category Biometric Information Outgoing Correspondence 
Channel Document Issuance 
Fees Status Active Group Event 

Application Status DURS mE 

Citizenship 

Citizenship Country Code 

Country of Residence (CoR) IME Status 

CoR Country Code Medical Activity Update Date 


Table 3: Module 3 Data Extracts from EDW/GCMS 
Data Element/Field Description/List of Values (LOV) 


Client UCI The extracts from the EDW filters for primary applicant (PA) Client UCIs on all 
open TR files (TRV, SP, WP), where the Final Decision is NULL 


Group Type and Group Name Type of group and name given to the group 
Application Assigned To GCMS user ID assigned to process the application 
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Eligibility Outcome of eligibility assessment; Passed, Failed, Review Required, Recommend 
Passed 


Status of the applicant having biometrics collected; e.g. ‘Complete’ 


Client Information Name 

Citizenship 

CoR 

Gender 

Marital Status 

Age 

DOB 

Country of Birth (COB) 

Client Place of Birth (POB) 

Email Address (on application) 
Spouse Information Name 

Marital Status 

Marital Start Date 


Designated Learning Institution Name of school (for SPs) 
Application Purpose of Visit Purpose of visit; tourism, visit family, etc. 
Visit Start and End Dates Start and End Dates 


Pre-Assessment Note O 


Study Permit Data Level of Study 
Field of Study 
Tuition 


Expenses Paid 

Work Permit Data WP Exemption Code 
Labour Market Impact Assessment (LMIA)/LMIA Exempt # 
NOC (See Note 1) 
NOC Description 
Salary 
Intended Occupation 
Employer 

Travel Document Information Travel Document Type 
TD Document Number 
TD Expiry Date 
TD Issuing Country 
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Past Application Details 


Note 1: National Occupational Classification provides a standardized language for describing the work performed 
by Canadians in the labour market. 


Table 4: Module 3 


2.6 Chinook User Roles 


Once an IRCC office is granted access, all immigration personnel have access to Chinook. The only 
restrictions are as follows: 


e Chinook Expert/Administrator: For Modules 1 and 2, an Administrator role is assigned to the 
Chinook Expert (a Chinook SME in each office). That Administrator can add other staff to the 
position of Administrator, which allows the user to set permissions and rules in Module 1 and 
amend their office template in Module 2. 


e Risk Assessment Officer Coordinator (RAOC): In Module 5, only the RAOC has access to create 


Module 5 ' As of July 2019, only one person has been designated as the RAOC user for 
Module 5. 
e 
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2.7 Access to Chinook Data Files/Permissions in GC Docs 


Chinook data files are maintained by IRCC in two folders. This section details the information stored in 
these two folders and the assigned permissions as of July 2019. First, the Chinook tool itself is stored in 
a GC Docs Folder via the following path: 


Chinook Cross Network TR Processing Suite » Chinook 


Second, the data files extracted by the EDW staff, which are stored in the TR » Reports » Chinook folder 
are access by Chinook Experts via the following path with the Chinook Data folder being a shortcut to 
the TR » Reports » Chinook folder (where EDW stores the EDW extracts). 


Chinook Cross Network TR Processing Suite » Chinook Data 


From the Chinook Data folder, each office copies and pastes the files needed (based on which modules 
they are using) and stores them into a specific shared drive; for nearly all offices, that is the 

Chinook Experts are instructed to delete the previous day's data sets such that no office maintains days, 
weeks, or months of EDW data extracts. Furthermore, the Module 3: 2S file is available for 
download daily, but is only replaced on a monthly basis by Chinook Experts. 


The table below describes the permissions for the main folder: Chinook Cross Network TR Processing 
Suite. 


Table 6: Data Stored in Chinook GC Docs Folder 


Folder Name and : | : 
Permissions (as of June 2019) Permissions (as of July 2019) 
Contents 


Public Access — Read only 


Chinook 


| Edit Access provided to some staff in the No change 
Contains the Chinook Tool 


Centralized Network Modernization 


Innovation and Business Solutions (MIBS)? 


* In each Case Processing Centre (CPC), there are innovation staff. For development of Chinook we used some 
MIBS employees. They have inherited the permission from their development work. 15-20 staff. 
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Some users are individually identified as 
having 'Public Access' allowing for Read, 
Add, and Modify, but not Delete. 


However, permissions are also granted to 
entire branches and the entire Immigration 
Program which supersedes those individual 
permissions. The group ‘Immigration 
Program’, which is all users with an 
immigration function, have full access 
(Read, Add, Modify, and Delete) 


Some users are individually identified as 
having 'Public Access' allowing for Read, 
Add, and Modify, but not Delete. 


However, permissions are also granted to 
entire branches and the entire Immigration 
Program which supersedes those individual 
permissions. The group '/mmigration 
Program’, which is all users with an 
immigration function, have full access 
(Read, Add, Modify, and Delete) 
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All Immigration Program Staff have Public 
Access — Read only. 


Full Access (read, add, modify, delete) is 
limited to six IRCC employees. Two on the 
IN Chinook Team, two on the CN Chinook 
Development Team, and two EDW staff who 
perform the EDW data extracts. 


All Immigration Program Staff have Public 
Access — Read only. 


Full Access (read, add, modify, delete) is 
limited to six IRCC employees. Two on the 
IN Chinook Team, Two on the CN Chinook 
Development Team, and two EDW staff who 
perform the EDW data extracts. 


It is noted that the six individuals have Full Access to the Chinook Data folder (technically the TR Folder > 
Report » Chinook folder), and can modify the data files. The risk is considered low due to the number of 


staff who have Full Access (six) and the general low risk that someone would intentionally or 


inadvertently change data in the folder. However, in order to upload/update Module 5 information ` 


IN staff must have ‘modify’ access to the folder and that ‘modify’ 


access at the folder level extends to all files within the folder. This is an assumption that requires 


validation with GCDocs experts. Furthermore, it is noted that all of Immigration Program has read only 


access to all data files in the folder; it is assumed that the entire program does not require such access. 


Privacy Risk Analysis of EDW Data extract Permissions in GC Docs 
The new permissions assigned to the TR Folder > Report > Chinook folder in July 2019 is clearly an 


improvement to the prior permissions (June 2019) which allowed Full Access to a large number of staff. 


However, two issues are present regarding the permissions to the EDW data extracts. First, six 


individuals can modify the folder and GCDocs permissions to ‘modify’ are mimicked at the file level. 


Therefore, there is a risk that one of the six users could inadvertently modify the EDW extract files and 


negatively impact the processing of applications in Chinook. IN will explore means for the EDW data 


extracts to be read only while also permitting Module 5 


folder. 
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Second, the EDW data extracts are accessible to the entire Immigration Program. Access to the data 
extracts should be limited to Chinook Experts and a small number of Chinook Administrators in IN and IT 
Operations. 


2.8 Chinook Module Set-Up 


Existing Chinook material/guidance suggest to staff Chinook files are loaded daily on the and 
follow the below set up procedures. 


The Chinook Expert of the local office creates a folder on the ‘or EDW data files. The file 
path for Chinook data is normally: Immigration Program » Chinook » Data. Reportedly, the 
Immigration folder is restricted to the Immigration section of the mission, which includes Canadian 
Based Staff (CBS) and Locally Engaged Staff (LES). However, permissions/restrictions on the 

across all approximately 53 offices was not obtained for this report. 


Once those data files are in the appropriate folder every day, the tool is ready for use. Daily, the 
Chinook SME for an office notifies staff that the daily Chinook data has been uploaded. 
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3. CHINOOK MODULE DESCRIPTION AND WORKFLOWS 


This section provides a description of the Chinook modules and how they are used by IRCC staff. 
3.1 Module 1: File Management 


To assist in efficiently processing TR applications, on a regular basis, IRCC management inform their staff 
— made up of CBS and LES — of the types of immigration files which they are responsible for processing. 
For example, a CBS may be tasked with working on files which have been designated for an expert 
Officer to review the application for eligibility. In the normal workflow, querying GCMS to assign these 
types of files to oneself is performed in several ways, which can be time consuming. They become even 
more time consuming when there are GCMS connectivity issues; e.g. mission server availability is slow. 


To address these issues and improve efficiencies, Module 1 (File Management) allows users to assign 
themselves work based on the Tasks assigned to them by Managers. Once a user assigns a series of 
applications to themselves, they can populate other Chinook modules (Module 3 and 4 for 
decisions/actions) or export the application data to MS Excel; the Excel spreadsheet promotes more 
efficient GCMS activities. 


In short, Module 1 is designed to assign a large group of files, up to 150, based on a pending Task in 
GCMS. The Tasks in Chinook align to a data field(s) and activity statuses in GCMS. 


While workflows may vary from one office to another, the following depicts a typical workflow in the 
utilization of Module 1. 


Step 1.0: Upload Module 1 Data File 
In this step, the IRCC Office Chinook Expert is the only person(s) with the rights to access the 


Administrator icon in Module 1 (red box in Image 1 below). While the gear icon is visible to all Chinook 
users, only assigned Administrators can navigate to the administrator area of Module 1. 


While other functions are available in the Administrator section of Module 1, the main function is for 
the Chinook Expert to upload the Module 1 data file from the office's which is depicted in Image 
2. 
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Image 1: Module 1 M 


Image 2: Module 1 Data Upload 
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It is noted that the Module 1 data extract is separate from the Module 3, Module 4, and Module 6 data 
extracts. 


The Administrator section of Module 1 also allows an Administrator to perform other administration 
tasks within the module, including adding another administrator (manage permissions) and modifying 
the priority of tasks presented to users in this module. 


Step 2.0: Notify staff of Daily Data Upload 
In this step, the Chinook Expert ensures staff are informed that the daily Chinook data files have been 
uploaded to Module 1. 


Step 3.0: Search and Review Available Tasks 
In this step, users open Chinook in read only format and assign themselves with the type of Tasks 


management has instructed them to process. To generate a list, a user utilizes the area 
of the Module 1 Main page (see green box in Image 3 below). From this area, the following search 
criteria are available to the user: 


Assigned To: a specific IRCC employee 
Primary Office: a particular Primary Office 
C. Responsibility: the title of an IRCC employee or the type of responsibility activity required for 
the applications. The Responsible Parties are: 
1. Client 
2. Officer 
3. Program Assistant 
4. Third Party 
5. Unit Manager 
D. Processing Stage: one of the 19 stages of a TR application process: 


E. Language: auser can identify applications which require responses to the Client in English, 
French, or both. 


The above five search options are visually depicted in the image below; the lettering above corresponds 
to the lettering in the area of the image below (see green box). 
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Image 3: File Management/Module 1 — Generate List Criteria 


While the number of Tasks and the priority (the order in which they are sorted/presented to the user) of 
those Tasks may vary from office to office, there are 170 Tasks available for assignment in Module 1. 
The default Tasks and priorities are based on the logical process flow of a TR application; however, 
offices have the capability to edit the selection and priority of Tasks. The Tasks in Chinook equate to a 
data field(s) in GCMS, which varies from one Task to another. Each of those Tasks were analyzed for 
privacy risks and no risks were identified?. They are simply events that occur in the submission and 
processing of applications which require actions by IRCC or the client to allow the application to reach a 
conclusion/final action (approved, refused, withdrawn, other). The following provides a few examples 
and descriptions of available Tasks; others can be seen in the above image (red box): 


> The consultant analyzed an Excel spreadsheet titled ‘Mod 1 SOPs’ which lists each task, the type of employee 
responsible for each task, and the action required of that employee. 


Protected A 23 


A4144594 23-000031 


$ Immigration, Refugees Immigration, Réfugiés 
and Citizenship Canada et Citoyenneté Canada 
Information disclosed under the Access to Information Act 


s.16(2)(c) 


L'information divulguée en vertu de la loi sur l'accès à l'information 


Chinook PRA; Version 3.0; August 22, 2019 


10 of the 170 SOPs require the IRCC employee to navigate to Module 3 (and can only be performed by 
Officers/Decision Makers), while the others require various types of activities to be performed by 
Program Assistants, the Client, the Unit Manager, and Third Parties. 


Step 4.0: Self-Assign Tasks and Navigate to Module 3 
In this step, the user selects the Tasks a manager has instructed her to process. As an example, in the 


image below, the user (Responsibility = Officer) selects the Task of 
. The Officer can select more than one Task, but in the image below only one Task has been 
selected. Once the Task(s) is highlighted, the user selects the number of applications to assign to herself 
and selects ‘Generate List’. Chinook does not permit a user to select/self-assign more than 150 
applications. In the image below, the Officer assigns 150 of the available 363 applications with a Task of 
Subsequent to selecting ‘Generate List’, the 150 applications are 
populated in the field titled 'List of Applications'. In the example, after the Officer is finished with 
Module 1, she navigates to Module 3 where her GCMS User ID identifies those applications which were 
self-assigned in Module 1; they are now available to the user for processing in Module 3. 


Step 5.0: Self-Assign Tasks and Create MS Excel Spreadsheet 
While some users will select “Generate List’ and navigate to Module 3, others do not use Module 3 — 
non-Decision-Makers (those who do not have the ability to make decisions in GCMS; e.g. Responsibility 
- Program Assistant). However, Module 1 is still beneficial in that those users can export Tasks in 
Module 1 to MS Excel where the data is used to efficiently perform actions in GCMS. For example, a 
user with the Responsibility of Program Assistant assigns 150 Tasks titled ' | 

For this specific Task, the TR application has been approved and a letter must 
be sent to the applicant requesting she submit her passport so that IRCC can affix a Visa to the travel 
document. Therefore, the Program Assistant selects ‘Open Results in Excel’ (and not ‘Generate List’). 
Subsequently, the Tasks being self-assigned are populated in a newly created MS Excel spreadsheet 


which contains the following information/column names: 


Task Name 

Application Number 
Application Received Date 
Group Number 

Assigned To (IRCC staff) 


A i pcdes 


Subsequently, the Application Numbers from that Excel spreadsheet are used to generate passport 
request letters in GCMS. Depending on the type of Task, GCMS's grouping functionality may assist in 
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efficiently performing actions on multiple applications; however, grouping of applications is not 
available for all Task resolution activities. 


The MS Excel document created by the user is stored There is no 
formal instruction, such as an SOP or Program Delivery Instruction (PDI), which instructs staff or 
provides guidance on storing and purging any locally stored Chinook data files. 


Assigning Files in Module 1 Which Mis-Align to an Employee's GCMS User Role 
Within Chinook, it is possible for any user to assign themselves any Task. For example, an employee 


with the Responsibility of Program Assistant can assign herself a Task that requires action on the file in 
Module 3. However, a Program Assistant is not a Decision Maker and would not action a file in Modules 
3 and 4. If this were to occur, the user may even be able to open the application data in Module 3 and 
record intended decisions in Module 4. However, the eventually decisions must be recorded in GCMS 
and the individual's base/functional user role in GCMS does not allow her to perform those actions in 
GCMS. 
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3.1.1 Record Search Utility 


The Record Search Utility (i.e. the magnifying glass icon in Image 3) is active for all users. However, most 
users can only search for records associated to their own GCMS ID within Chinook. Conversely, those 
with the Administrator role can search for any records. 


After selecting the magnifying glass icon, the image below is presented to an Administrator. Based on 
the search parameters entered, a user is presented with defined search results. For example, this allows 
Administrators the ability to view the number of files (and Application Numbers) assigned/processed by 
a particular user. It can also allow the Administrator to see details of a single Application Number. 


Image 5: Record Search Utility 


Processed File Details 


3.2 Module 2: Pre-Assessment "wm — 


Chinook’s Module 2 allows for users to complete pre-assessment tasks on a file. In short, Module 2 
allows for a series of tasks to be completed on an application by a Program Assistant to assist the 
Officer/Decision-Maker when they assess an application and make a decision. Note that Module 2 does 
not require a specific extract from the EDW. 


In the normal course of processing TR applications, Program Assistants are assigned pre-assessment 
tasks, such as documenting an applicant's 

| as well as others. Generally, pre- 
assessment activities verify information in the application and its supporting documents. The outcome 
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of those pre-assessment activities is the creation of a note on the application which assists the Visa 
Officer in finalizing a decision on the application. Historically, those notes are time-consuming and 
inconsistent in the level of detail. 


Within Chinook, a user completes a pre-defined checklist for a particular TR application type. Once the 
checklist is complete, a standardized note is generated which is copied and pasted in the © 
field in GCMS. The following provides a description as to how Module 2 is utilized. 


Step 1.0: Identify Relevant Tasks from Module 1 
The use of Module 2 begins with the identification of pre-assessment Tasks in Module 1. Once a user 


has selected a group of Tasks in Module 1, the IRCC staff person (LES or CBS) selects the option of “ 
That MS Excel document is stored locally on the user's 


The data available to the user in this MS Excel document is detailed in Section 3.1 
(Step 5.0), but duplicated here for ease of reference: 


Task Name 

Application Number 
Application Received Date 
Group Number 

Assigned To (IRCC staff) 


pos elder 


For the purposes of Module 2, from the generated MS Excel spreadsheet, only the Application Number 
Is utilized. 


Step 2.0: Copy/Paste Application Numbers into Module 2 
In this step, the Application Number(s) is copied from the MS Excel document and pasted into Module 2. 
In the image below, a single Application Number or multiple Application Numbers can be pasted into the 
| section of the Module 2 Pre-Assessment starting page. Lastly, a selection is made 
regarding how the applications are presented/ordered in the resulting list. For this workflow, 

k ‘is selected (see green box). 
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Image 6: Pre-Assessment Start Page/Pas 


ication Numbers 


Medule Z - Pre-Assessment 


Step 3.0: Assess Applications 
By toggling to the ' tab, the first application in the list is presented to the user with a summary of 
general application information (green box in the image below): 


Group #: if the application is part of a Group in GCMS 
Application Number 

3. Category: the category of an application; specifically, V-1, PG-1, B-1, VH-1, CAN+, SX/WX-1, Ret 
SP/WP, SP and WP^ 

4. Citizenship, and 

5. Country of Residence (CoR) 


^ V-1 = Visitor; PG-1 = Parent/Grandparent Extended Stay, B-1 = Business Class; VH-1 = In Transit; CAN+ = CAN + 
Program; SX/WX-1 = Short Term Study or Short Term Work; Ret SP/WP = Returning Student Permit Holder/Work 
Permit Holder; SP = Study Permit; and WP = Work Permit. 
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From this screen, the user can select previous or next file on the list while a check box reflects whether 
the Pre-Assessment task has already been completed for a particular application (see red box in the 
image below). 


Image 7: Pre-Assessment Start Page/I 


LA e 


Once the user decides to work on a particular application, she selects the appropriate tab, which is 
based on the Category (V-1, PG-1, etc.). 


Assuming the application presented in the ' tab is a V-1 application, the user selects the 'V-1' tab 
(see image below) and completes the Pre-Assessment tasks. For V-1, the tasks are seen in the below 
screenshots/images. Note the screen shots are showing what the user sees as she scrolls down through 
the V-1 pre-assessment (see series of green boxes). 


The type of information recorded in Module 2 varies from one Category to another; however, all data is 
related to the application. There is no new data being recorded in Module 2 that is not already; if the 
user was not utilizing Chinook, these same pre-assessment tasks are recorded in the normal GCMS 
workflow. 
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Image 8: Pre-Assessment of V-1 Application (1 of 3) 


^H 
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Image 9: Pre-Assessment of V-1 Application (2 of 3) 


Module 2 - Pre-Assessment 
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Image 10: Pre-Assessment of V-1 Application (3 of 3) 


Module 2 - Pre-Assessment *X 


Step 4.0: Generate Note and Paste into GCMS — 
Once the pre-assessment tasks are completed, the user selected 'Generate Note' (see green shaded box 
in the above image) and Chinook creates a pre-defined note based on the selections made during the 
assessment. The following is an example of the type of note Chinook creates for the user: 


IMM STATUS CoR: Citizen | TH: UK/USA/Europe/ | PA: | INCOME: 50000PHP/Bi-Week-Pay 
slips| SAVINGS: 75000USD *Lump Sum*-Hist: Provided-Bank Statement |HOST: PA's 
Child; PR STATUS IN CDA; | ADD. INFO: |See Notes in GCMS |JG15841 


Once that note is presented to the user, it is copied and pasted into GCMS. Specifically, as seen in the 


image below, it is pasted into the free text field called ' As noted in the Advanced 
Analytics (AA) PIA, the field is a free text field that has multiple uses across the 
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Department. In contrast to the AA PIA, this PRA has not identified any privacy risks related to the use of 
the field to record the Pre-Assessment Note. 


In the future, an existing Change Request is being actioned which will allow for a dedicated field for the 
above note; Chinook users will no longer use the field. At the writing of this PRA, the 
deployment date for this new data field is undetermined but linked to the Dynamic TR Webforms. 


It is noted that the Pre-Assessment Notes from Module 2 are also populated in one of the fields in 
Module 3; specifically Column G (see Table 7). 


Image 11: Pre-Assessment Note Pasted into GCMS 


3.2.1 Customization of Module 2 


Chinook provides default settings for each application type, which requires assessments to be made 
across the following areas of an application: 
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While default settings are set when Module 2 is utilized, IRCC offices are permitted to customize the 
checklist items. For example, in Image 8, in the section heading of there are multiple 
customized checkboxes which would allow an office to reflect that t is 
identified. That customization would be reflected in the note generated by Chinook. 


While certain areas of Module 2 are customizable, the 12 headings listed above cannot be altered; 
additional headings cannot be added by a user. 


3.3 Module 3: Decision-Maker 


Module 3 is designed to assist a user in making decisions on TR applications in bulk. The goal of Module 
3 and Module 4 is to increase the quantity and quality of decision making by compiling, in one place, the 
pertinent information required for making decisions. From a single location, the data can be reviewed 
more easily and effectively along with 


This module introduces a better viewing platform to review application information of numerous files at 
the same time. Most of the information in Module 3 is GCMS data from the Module 3 EDW data 
extracts. The only exceptions are the following: 


Column D: Action —Chinook user records their intended decision on the TR application. 
Column G: Pre-Assessment Notes — if the office uses Module 2, the note created in Module 2 is 
auto-populated in this column. 


3. Column Z: Module 5 — see Section 3.5. 
4. Column AA: — see Section 3.3.2. 
5. Columns AB through AG: — See Section 3.3.1. 


The following tables provides a description of the Module 3 columns. 


are made once assessments are completed on an application. 
Working Note regarding the application such as ‘Request PG-1’ or 


F. Assessments Rollup 


Client and Application Information Section (Columns G through U) 
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G. Pre-Assessment Notes Notes from any pre-assessment done in Module 2 
If the user hovers over this field, the long form narrative of the 


H. Verbose Client Information application is presented to the user. An example is provided in the 


image below. 


l. Category Counterfoil category (V-1, PG-1, etc. ) 
J. Special Program Code (SPC) e.g. CUS 


Q. Purpose of Visit 


R. Purpose of Visit Information 


Pome [LL 


S. Activity and Employer/School/Facility 


T. Self Declared Travel From application; e.g. USA 2019-May; Japan 2018-Jan. 


GCMS Information Section (Columns V through Y) 


V. Previous GCMS History 


7 Module 5 are identified in this column — 
see Section 3.3.3 
AA. See Section 3.3.2 


BENE mE 
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Image 12: ' 


Step 1.0: Open Chinook Module 3 
At the onset of using Module 3, the following disclaimer is presented to all users as a pop-up dialogue 
box. Users must select ‘OK’ before proceeding with the use of Module 3. 


“THE PRESENTED IN CHINOOK ARE FOR INFORMATION PURPOSES ONLY 
AND ARE NOT PREDICTIVE. OFFICERS MUST REVIEW ALL APPLICATIONS ON THEIR OWN 
MERIT. 


The percentages referenced in the above notice is related to the, columns in Module 3 
which are described later in Section 3.3.1 below. Furthermore, the references to exemptions under the 
Access to Information Act have not been reviewed by IRCC ATIP. 


Users are informed to open Module 3 in Read Only; however, there are instances wherein Officers have 
saved the file on is 
unknown. 
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Step 2.0: Select Appropriate Module 3 Data File and Customize Columns 

To start using this module, an Officer/Decision-Maker navigates to the module's set up screen (the gear 
icon). In the Set-Up screen, the user enters their Region, GCMS ID, and the Data File being queried 
(located in the office's - While most staff do not require access to more than one data file, a 
small number of IRCC employees are decision-makers for multiple regions and will need to ensure they 
select the appropriate regional Module 3 data file. 


Furthermore, via the 'Module 3 Options' (see green box in below image), a user can activate/deactivate 
various columns, as well as deactivate/activate the columns. 


Image 13: Module 3 Basic Setup 


VEGDULE 3 - Decision Maker — oe Ed 


Further customization can be achieved by selecting the “Column Setup” tab in the above image (see blue 
box), which presents the user with a series of check boxes. By de-selecting an option, Module 3 will 
remove that column from view. Through anecdotal reports, more experienced Officers often de-select 
the columns through the Basic Setup or Column Setup feature of Module 3. 
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Image 14: Module 3 Column Setup 


RIODULE 3 - Decision Maker — La x< 


Step 3.0: Load Assigned Applications 

To populate applications in Module 3, a user can rely on activities performed in Module 1. Data can be 
migrated into Module 3 through Module 1 via two methods. First, the Tasks that are self-assigned in 
Module 1 can generate an MS Excel document. From that Excel spreadsheet, which is most likely stored 
on the i 22 the string of Application Numbers can be copied/pasted into Module 3; 
identical to how Module 2 data is populated. Second, by entering in their GCMS User ID in Module 3, 
the Application Numbers (assigned via Module 1) are auto-populated in Module 3 — the GCMS User ID 
must be entered in Module 1 and subsequently entered in Module 3 via the gear icon. 


As Chinook is used for paper applications as well, Module 3 also supports the scanning of a paper 
applications. To scan applications, the user selects ' and a separate window is presented. 
Using a 2d bar code scanner, the user can scan the bar codes on paper applications. In the image below, 
the user has selected and the scanning dialogue box is presented to the user. 
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Image 15: Module 3 — Scan Applications 


Step 4.0: Receive Assignments from Manager (Alternative Workflow) 

It is noted that some managers will identify Tasks to be assessed/actioned by their employees in Module 
1, populate Module 3, and subsequently email their staff personalized Chinook files. Unlike the normal 
work flow, which requires staff to open Chinook in ‘Read Only’ and not: this 
assignment activity by a manager results in a copy of Chinook being stored ¢ 


Step 5.0: Record Decision in Column D (Action) 

Once applications are assigned to a user (either self-assigned or via a separate Chinook document), the 
Officer utilizes the spreadsheet to make decisions on up to 150 applications which are presented in this 
module in rows. This allows for the consideration of GCMS data and other information to support a 
decision. The three decisions in Chinook/GCMS are: Approved, Refused, and Withdrawn. In Chinook, 
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there is also 'Other' which means the application is not ready for a final decision; e.g. the file needs 
meds or screening. 


Once a decision is made, Module 4 is utilized. While Chinook and this deliverable separate Module 3 
and 4 as distinct and separate, both modules are incorporated into the same worksheet. 


3.3.1 


Columns AB through AG provides statistical information based on 


Chinook uses the profile information provided in the 


The following three examples illustrate how each of the above three rules apply: 
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Section (3 and 6 filters) 
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Prior to the use of Chinook, IRCC staff considered 


- . 5 . = a — = P ari 


The identification of these developed by SMEs through an assessment of past 
applications and testing of new applications to determine the efficacy of the criteria. The starting point 
for IRCC's identification of for Chinook began with analyzing the 


There are some similarities to the 
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In addition to similarities to the , the 


The as well as the accompanying business rules, were not approved formally, but 


informally; i.e. the Director General of IN did not formally approve of the criteria and business rules but 


was aware of the work being performed and, once tested and validated, they would be incorporated 
into Chinook. 
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Privacy Risk Analysis - Notice 
From a privacy point of view, several factors of the information were considered. First, 


as it relates to notice, a minor risk was identified. The consultant does not believe the presentation of 

; predictive analytics, or is remotely close to the activities described in IRCC's AA PIA, 
however, the enhancements to transparency and notice stemming from that PIA are robust enough to 
account for the presentation and consideration of statistical data | within 
Chinook. Furthermore, it is sufficient for the | as well. 


Considering the AA PIA focused entirely on TRV applications and the use of IMM 5257 (Application for 
Visitor Visa), the consultant also analyzed the notice provided in applications for SPs and WPs; 
specifically, for IMM 1294 (Study Permit Application) and IMM 1295 (Work Permit Application). IMM 
1294 (SP Application) and IMM 5257 (Application for TRV) contains the following information, in part, in 
the Privacy Notice Statement (PNS): 


The personal information collected on an application, and other information collected in 
support of an application, may be used for computer analytics to support processing of 
applications and decision making, including your application. Personal information, 
including from computer analytics, may also be used for purposes including research, 
statistics, program and policy evaluation, internal audit, compliance, risk management, 
strategy development and reporting. 


In the opinion of the consultant the above text adequately meet the Notice requirements related to the 
use of However, it is noted 
that a similar paragraph does not exist in IMM 1295 (WP Application). Therefore, this PRA identifies this 
risk with a recommendation to include the above statement in IM 1295. 


Privacy Risk Analysis - Accountability 
Second, as it relates to the creation of the section and the use of : 


there is a risk related to the privacy principle of Accountability. That risk is that there is a missing 
governance structure for the creation, modification, and use of the sections in Chinook, 
as well as other aspects of the tool. The lack of an appropriate and formalized governance framework in 
the deployment of Chinook extends to, at least, the following: 


| Dor ~~ in Module 3 
2. Modules ` as noted later in this report, there are approximately in operation 
which were not formally approved through an approved governance structure. 


TE 
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3. similarly, the creation and approval of i should be formalized in 
governance such that it remains a section to identify There is a risk it 
could result in the creation of and not its current use of assistance in triaging. 


In the risk section of this report, a recommendation suggests a governance structure for all of Chinook 
should be formalized, which will, in part, prohibit the deployment of new criteria or the modification of 
existing criteria without formal approval from an 'Officer of Record'. 


Furthermore, a separate risk under the principle of Accountability suggests the use of the 
must be justified — the effectiveness and necessity of the tool must be recorded to allow the tool to be 
used and 


Privacy Risk Analysis - Accuracy 
Third, there is a risk related to Accuracy regarding the : in Module 3. While the TR 


SMEs tests of prior data suggest the © are relevant factors for officers to consider, there 
should be further assessments/tests scheduled in the future to ensure those criteria remain relevant 
and valid. Along with that requirement, it is further suggested that statistical data is maintained on 
further assessments and are considered by the ‘Officer of Record’ prior to the addition or modification 
of criteria. 


Privacy Risk Analysis — Necessity and Effectiveness 

Fourth, for this PRA, the consultant does not support a deep analysis of the Four Part Oakes Test’ 
regarding the use of however, there is a need for IRCC to at least be confident that the 
presentation of data across the is necessary and is effective in meeting a need. Because 
senior officers deactivate columns and temporary staff may be 

BEA | IRCC should ensure the criteria are being used by staff, are 
effective | and that statistical data continue to support the use 


of | | and the corresponding business rules (accuracy). 


Privacy Risk Analysis — Impact of TBS Directive on Automated Decision Making 
Lastly, there is a correlation to the use of the | columns and the TBS Directive on 


Automatic Decision Making. While the consultant believes significant differences exist between 
predictive analytics and the presentation of statistics (i.e. | 

s RCC must determine the implication, if any, of that Directive on the 
development and deployment of Module 3 and Module 5. It is the opinion of the consultant that 
Chinook does not deploy predictive analytics and that the TBS Directive on Automated Decision Making 
does not apply. 


’ The OPC expects PIAs that are particularly intrusive or privacy invasive to be analyzed against the Four Part Oakes 


Test; see Section 2.1 of the OPC Expectations: A Guide for Submitting Privacy Impact Assessments to the OPC. 
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3.3.2 Section - 
In Module 3, Column AA, is a data field which presents for all offices or 
specific offices. The identification of an application that contains any of the is utilized for 


triage purposes only. | 


. If an application contains any of the keywords, 


instruction is provided to the officer via Module 3, Column AA, - 


The existing - - (as of July 2019), which are enumerated in the table below, were approved for 
use without a formal approval process. The l MEM were in 
use prior to Chinook, therefore, they were added without the approval process. Furthermore, the 

-~ for all offices were added by IN staff to support triaging. However, beginning in or around 
Summer/Fall 2019, the addition or deletion of keywords will be managed through a Module 5 
submission template, which requires approval from the RAOC in Ottawa although any 
will not reviewed as thoroughly as a Mod 5 indicator as the purpose of local triage only. A specific 
template has not been created yet but will likely be similar to the template used to submit request for a 
Module 5 


The current list of - the offices for which the . apply, and the value displayed in Module 3 
Column AA is listed below. 


Table 8: List of in Module 3/5 


NEM  .— Applicable Office Data Value in Module 3, Column AA 
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3.3.3 Section — Module 5 
Once a Module 5 s approved by the RAOC, it is presented to users in Column Z. A description of 
the existing Module 5 and the approval process is provided in Section 3.5. 


3.4 Module 4: Post-Decisions 


Module 3 deals with informed decision-making; Module 4 deals with terminal actions from those 
decisions. While seen as a separate module, the decision in Chinook is performed by selecting the 
Actions Column in Module 3. When selecting a particular cell in this column, the following dialogue box 
Is presented to the user. 
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Image 17: Refusal Action and Note 


In the example above, the user has decided to refuse the TRV based on the refusal ground of 'Length of 
Stay'. In selecting the checkbox for 'Length of Stay' a standardized Refusal Note is auto populated by 
Chinook. That note can be modified (edit or add detail). 


After several decisions have been actioned, the user can utilize GCMS's bulk approval/refusal function in 
order to copy/paste TR application decisions (and the notes). 


In the image below, the Officer has approved eight applications and refused one (red box). Two of the 
approvals include a ‘Working Note’ specifying that the approval is for a singly entry only (blue box). 
Moreover, five of the application numbers are associated with an existing Group in GCMS (green box). 
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Image 18: Selection of a Group of Files for GCMS Action 


The user selects all nine applications (via the Action column) and Chinook creates a separate workbook 
is created in MS Excel — separate from Chinook (see Image 19). This new worksheet is most often saved 
that office. 


Image 19: Separate MS Workbook Created for Approval Lists 


Within that new MIS Excel spreadsheet, each set or tiles (set, groups, or single application numbers) is 
presented in one of several tabs for ‘Approvals’, ‘Refusals’, ‘Withdrawn’, or ‘Other. As seen in the 
image below, which depicts the Approvals Tab, each set of files is organized as follows: 

1. All Files Query String: includes all files designated for that action 

2. Single File Query String: includes all files that are not presently in groups. 

3. GroupFile Query String: String of all groups containing the files for action. 
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Image 20: Separate MS Workbook — Approvals Column 


Bulk Approvals 
In the above image, there are nine applications to be approved, all of which are applications within a 


group. To action a bulk approval, it requires the creation of a Temporary Group where all actions can be 
assigned; however, GCMS does not permit more than one group to be assigned to a particular 
individual. Therefore, for any applications which are already in a GCMS Group, the existing group must 
be closed before a Temporary Group is created and bulk actions are performed. 


To close an existing group, a user copies the ‘Group File Query String’ (red box) from Image 20, and 
pasted into the ‘Groups > IMM’ Screen of GCMS (see Image 21). Subsequently, the search presents all 
the groups and the ‘Status’ of each is changed from “In Progress’ to ‘Closed’ (see red box in Image 22). 


Image 21: Close Existing Group Numbers (1 of 2) 
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Once the existing GCMS Group is closed, existing Bulk Action activity in GCMS is performed. To perform 
Bulk Actions (e.g. Approval, Refusal) in GCMS, a Temporary Group is created. Once created, the user 
copies the ‘All Files Query String’ (see Image 20; blue box) and performs the bulk approval. 


Refusals 

In Image 20, there are three tabs for Refusals: Refusal (1), Refusal (2), and Refusal (3). The actions for 
bulk approvals is the same for bulk refusals, except that Chinook creates a separate worksheet in Excel 
for applications with the same grounds for refusal. Therefore, in Image 20 (see the green box), there are 
three worksheets containing applications with three types of refusal grounds. 


3.5 Module 5: Indicator Management 


Module 5 (Indicator Management) allows for new and existing risk indicators to be created and viewable 
in the ‘Module 5 | | columns of Module 3 (Column Z). 


The 'indicators being identified automate what is already created in the form of quality assurance 
(QA) reports. For example, ( 
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The results of the QA report are communicated to staff and are considered in the processing of future 
applications. 


Therefore, Module 5 was initially created to allow IRCC to build indicator rules for both 
positive and negative factors. To ensure biased and unwarranted risk indicators are not created, IRCC 
has developed guidelines and a process by which its global network of Risk Assessment Officers (RAOs)*° 


can request the creation of risk indicators in Chinook. 
As of June 2019, the process and guideline were recently introduced. The workflow described below 
will be followed in the future. However, the current inventory of Module 5 rules (shown to the user in 


Module 3) did not follow the guideline, but were assessed by IN's RAOC, who is responsible for 
approving all Module 5 rules in the future. 


The consultant did not review all of the existing rules, but reviewed a sample size of 17. The following 


are five of those 17. If the criteria are met, ' 


Example 1: 


Example 2: 


1? There are approximately 20 RAOs across the IRCC international network. . 
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Example 3: 


Example 4: 


Example 5: 
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Going forward, IRCC is establishing a more robust assessment process and tools. Module 5 is used to 
submit requests to approve a new For most users, their installation of Chinook Module 5 contains 
only the Module 5 Submission Template, which a RAO completes to seek approval of a new For 
IN's RAOC, who is responsible for approving and denying requests, Module 5 allows her to create the 

such that it is identified in Module 3. In Module 3, the /nstructions to Officer is provided; not the 
criteria or rationale. That criteria and rationale are only stored in the Module 5 tool and accessible to 
the RAOC. 


The following high-level workflow explains the process of a RAO submitting a template, the approval 
process, and the creation of the in Module 5 and Module 3. 


Step 1.0: Perform Risk Assessment; and 


Step 2.0: Complete and Submit Module 5 Template 
As of June 2019, RAOs, of which there are approximately 20, can refer to the- 


in their QA report and risk analysis and the Chinook Mod 5 Indicator 
Submission Template to assist with documenting the source criteria, logic and rationale in the creation 
of sound risk indicators. The tools available to RAOs to support the creation of were 
being revised at the writing of this deliverable. 


In Step 2.0, the RAO completes the Chinook Module 5 Indicator Submission Template (herein referred to 
as the Mod 5 Submission Template). It is noted that Module 5 can be used to identify both risks 

and opportunities( `` K TIT -` The Mod 5 
Submission Template requires the following information: 


1. Summary of the Submission: a free text field which provides a brief summary of the desired 
indicators and justification for the creation of an indicator(s). 
2. Source: a drop-down menu requires one of the following values: 
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3. Rule Origin: a drop-down menu requires one of the following values: 


g. Name of a specific RAO (one of 20 RAO offices; e.g. RAO Mexico, RAO Singapore) 
4. Rule Type: a drop-down menu requires one of the following values: 


5. Criteria: The user selects the type of criteria or filters that will be used to identify 

applications/clients. These criteria will be filtered by Chinook. As an example, t 
. Staff are instructed to be precise and do not 

suggest criteria that captures too wide of a group. Annex A of the Mod 5 Submission Template 
provides a list of 200 available filters from Module 3 (n=79) and Module 1 (n=121); however, 
the user is prohibited from selecting filters/criteria from Module 3 and Module 1; all criteria 
must be from Module 3 only; or Module 1 only. 

6. Validity Period: « 


7. Justification: if requesting a 
8. Rule Logic: a short explanation of the logic for creating the new indicator. For example, ‘the 


9. Rule Instructions: the instructions that are displayed to the user of the criteria are met. For 


” L] 2 ras P ra a ros 


example, ‘ 


11 These Rule Types have been identified by IN and are supported by Integrity Risk Management (IRM). Other 
types may be added in the future, but are not anticipated as of July 2019. 
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10. Other: to provide any other pertinent information which could not be included in other sections 
of the template. 


Once completed, the completed Mod 5 Submission Template is saved locally by the RAO and emailed to 
IRCC.INRAO-AORRI.IRCC @cic.gc.ca. 


Step 3.0: Review and Approve/Deny Module 5 Indicators; and 

Step 4.0: Action Mod 5 . 

At the writing of this PRA, one person identified as the IN RAOC has been designated as authority to 
approve, modify, or reject the indicators submitted. The existing process to approve is a subjective 
assessment by the RAOC; however, a framework for the approval, revalidation, tracking, audit, and 
removal of Module 5 is being developed, but was not available for assessment by the privacy 
consultant. Once approved, the RAOC creates a Module 5 which is depicted in the image below. 
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Step 5.0: Resubmit Module 5 Template (Renew Existing Indicator 
Risk indicators remain valid [see red box in the above image). 


may be adjusted in the future. 


When the , the requesting RAO must revalidate and resubmit the Mod 


L| = LE a J lr Ar. 


5 Submission Template to | However, IN is current determining if this 


approach can be modified and risk indicators can be scored automatically so that the RAOC is able to 
perform other necessary functions of the position. 


Step 6.0: Maintain Module 5 Indicator Repository 
IN’s RAOC will maintain a repository of rules which will define the date 


3.6 Module 6: 


a QA report of Module 3 


The Module 6 


Through this module, IRCC is trying to solve the issue of 
and is meant to provide more value-added feedback to officers and to identify gaps in training to be 
addressed. 
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Image 24: e 6 Reporting Dashboard 
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4. SUPPORTING ACTIVITIES 


This section provides a description of various activities that support the use of Chinook and have been 
deemed relevant to this PRA. 


4.1 Data Storage 


The issue of data storage and the risk of multiple data repositories was considered in this PRA. 


First, when employees utilize Chinook, support staff continually advise that users open Chinook in ‘Read 
Only'. This assists with preventing corruption issues in Excel, various add-ins, and prevents multiple 
copies of Chinook being stored on local drives. However, there is a risk that users select 'Save As' and 
maintain a separate installation of Chinook and GCMS data. 


Second, as it relates to the potential for EDW data extracts to be emailed from one user to another, the 
file size of the extracts are very large. Module 3 data files exceed 100 MB which can't be emailed, while 
Jata files are smaller but are often in excess of IRCC's 10MB file limitation for email 
attachments. Therefore, it seems impossible or very difficult for a user to email a copy of any EDW 

extracts which are saved on the office 


Third, there are instances wherein a Manager/Supervisor identifies Tasks to be assessed/actioned by 
their employees in Module 1, populates Module 3 with up to 150 assigned Tasks, and subsequently 
emails the populated Chinook file (Mod 3) to the employee. Unlike the normal work flow, which results 
in staff opening Chinook in Read Only (and no local copy is stored), this assignment activity by a 
manager results in a copy of Chinook being stored on 


Fourth, in Module 1, 'Open Results in Excel': The MS Excel document created by the user is stored 
locally on the individual's However, this does not involve a data file with significant personal 
information. It only contains the following: 


Task Name 

Application Number 
Application Received Date 
Group Number 

Assigned To (IRCC staff) 


MI cm P ME 


During training, Chinook Experts inform all users that local copies of Chinook or MS Excel files must not 
be maintained. However, there is no formal instruction, such as an SOP or Program Delivery Instruction 
(PDI), which documents that mandate. 
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In the end, it appears that Chinook requires training and awareness to all staff regarding the localized 
storage and retention of Chinook data. Such training and awareness should encourage ‘Read Only’ 
versions of Chinook; however, where localized storage must occur, deletion must be performed in a 
sufficient timeframe; i.e. delete all localized copies and emails containing Chinook/GCMS data. 


4.2 Information Management 


In review of the information in Chinook, most Chinook data is a copy of data from GCMS. Therefore, 
from am information management (IM) perspective, Chinook seems to be transitory data. However, the 
presentation of | in Module 3 and the creation of Module 5 indicators 
(presented to users in Module 3) may not be considered transitory information. Therefore, it seems 
necessary for IN to collaborate with IRCC IM to determine if Chinook, in its entirety or portions thereof, 
are transitory or if Chinook is a System of Record (SOR). 


From a legal perspective, and not a privacy one, there is a need for a file's progress and officer 
considerations to be traced. Understanding and being able to replicate the considerations and decisions 
of an Officer is sometimes integral to court proceedings involving refused TR decisions. Two points are 
made regarding this nuance to Chinook. 


4.3 Security of Module 3 Module 5 


During the preparation and completion of the AA PIA, risks were initially identified related to the 
security designation of those rules. As a result of those risks, IRCC determined the 

While the Module 3 columns and Module 5 (presented in 
Module 3) are not opined to be the use of predictive analytics, the security designation of that 
information should be analyzed by IRCC. 


The Module 5 - five of which are duplicated in this PRA, may reach the threshold of Secret, but that 
should be determined by IRCC. 


Regardless of the consultant’s opinion, it is IRCC’s Departmental Security Officer (DSO) who is the 
Department’s authority on the designation/classification of Protected/Classified information. The DSO 
should be consulted to ensure proper protections are afforded the data described in this section. 
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5. PRIVACY RISK ANALYSIS 


The privacy risks below were identified after analysis of the previous four sections of this PRA. 


The level of risk assigned to each of the risks was based on three existing IRCC documents. First, as 
recommended by IRCC's Corporate Risk Profile for FY 2016-17, the IRCC 15-minute risk assessment tool 
was utilized which includes a 3 x 3 matrix (Impact x Probability). Second, to assist in assessing the 
impact, IRCC's Common Risk Impact Scale (CRIS) was used. The CRIS includes specific guidance and 
examples related to privacy and security. Third, to assist in assessing the probability, IRCC's Common 
Risk Probability Scale (CRPS) was used. The outcome is reflected in the ‘Risk Assessment’ description for 
each risk below. 


In the completion and assessment of this PRA deliverable, the consultant agrees with IRCC's stance that 
a PIA is not required. The most prevalent argument for not authoring a PIA is that, in the opinion of the 
consultant, the use of Chinook does not meet the 'substantial modification' threshold as defined and 
described in the TBS Directive on Privacy Impact Assessment. 


5.1 Accountability 


Risk 81: There is a risk that the | in Module 3’s | Section is inaccurate, 
ineffective and unnecessary in the processing of TR applications. The use of the criteria may result in 
significant and unnecessary on while most 
senior staff de-activate the columns. 


Risk Assessment:| Possible/Medium 


Recommendation: It is recommended that IRCC validate the necessity and effectiveness of the 
such that it supports the continued presentation of the criteria in Module 3. 
Specifically, determine if the columns are being considered/reviewed by staff, are effective (including no 


and that ongoing statistical data/analysis continues to support the use of the | 
criteria and the corresponding business rules. 


Risk #2: There is a risk that Chinook is not a temporary tool and that it will be a long-term solution to 
assist in the processing of TR applications. Moreover, it could be expanded to process other IRCC 
applications. This deliverable reflects IRCC’s current plan to use Chinook as a model for business 
requirements; i.e. TDSS will build GCMS functionality, or similar tool which integrates with GCMS, such 
that Chinook is no longer required. However, considering Chinook was built, in part, because GCMS 
access/connectivity is slow and/or unavailable at times, the consultant questions how TDSS will be able 
to replace/decommission Chinook. 


Risk Assessment: 
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Recommendation: It is recommended that IRCC consider this risk and ensure contingency plans are in 
place to ensure proper privacy protections are in place if Chinook becomes a long-term solution or is 
expanded to other application types. The improvements to the governance structure recommended in 
Risk #3 should be organized in such a way that expansion of Chinook, or significant changes, requires 
formal approval involving privacy risk analysis. Furthermore, other risks in this deliverable should be 
considered with any expansion or permanency to Chinook. 


Risk #3: There is a risk that Chinook continues to operate without a formal governance structure which 
could negatively impact necessary privacy protections. The deployment of the tool appears to have 
been adopted with the knowledge and implied approval of senior managers in IN. However, a more 
formal governance structure is lacking. As Chinook has been expanding, formalized approvals are not in 
place, especially those related to Module 5 and the. section in Module 3. The existing 
functionality and potential expansion require a more robust governance structure. 


Risk Assessment: Possible/Medium 


Recommendation: It is recommended that IRCC develop a formal governance structure to support the 
development, management, and necessary privacy protections related to Chinook. At a minimum, the 
governance structure should address the following: 


1. Generalized Approval Authority: An identified approval authority in charge of approving 
changes to Chinook, as well as ensuring other aspects are present, such as technical training, 
awareness, and privacy protections related to data files. All significant changes to Chinook, 
including the addition of other IRCC lines of business must be formally approved. 

2. n Module 3. Notwithstanding the outcome of Risk #1, the continued use and 
performance testing of these criteria should be well-documented. The continued approval of 
these criteria should be actioned periodically by a senior approval authority and must consider 
the testing results in determining whether to continue using any of the © 

3. Module 5 All future ‘indicators should be assessed through a documented and 
formal process. That process should include a requirement that e 


4. Similar to Module 5 all | . Should be assessed through a 
documented and formal process. That process should include a requirement that the creation 
and approval of | . should be formalized in governance such that it remains a section 
to identify critical triage elements. There is a risk it could result in the creation of 1— and 
not it’s current use of triage assistance. 

5. Procedures, Training and Awareness: existing material must be updated, or created, to support 
privacy protections such as data storage, purging, use, access, and disclosure. Changes appear 
to be necessary in Chinook Procedures, training, and awareness. Specific privacy awareness is 
lacking entirely. 
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Risk 84: There is a risk that Chinook' s use of Module 5 and the section of Module 3 is 
inconsistent with TBS's Directive on Automated Decision Making. 


Risk Assessment: 


Recommendation: It is recommended that IRCC determine if the use of Module 3 and Module 5 data 

and Module 5 utilize analytics in a manner wherein the TBS 
Directive on Automated Decision Making applies. As stated in this report, the consultant opines that the 
Directive does not apply; however, such a decision should be made by IRCC. 


5.2 Identifying Purposes 


Risk #5: There is a risk that WP Applications are being processed in absence of proper notice to the 
applicant that prior is used for reporting and statistical purposes and that such data may 
be used to support the processing of the individual’s application. Proper Notice/Transparency exists in 
the TRV and SP application processes, but is lacking on the WP application; Form IMM 1295. 


Risk Assessment: 


Recommendation: It is recommended that IRCC modify the Privacy Notice Statement (PNS) on Form 
IMM 1295 (paper and e-application) such that it contains the following paragraph which is found in the 
PNS on application form for TRV and SP: 


The personal information collected on an application, and other information collected in 
support of an application, may be used for computer analytics to support processing of 
applications and decision making, including your application. Personal information, 
including from computer analytics, may also be used for purposes including research, 
statistics, program and policy evaluation, internal audit, compliance, risk management, 
strategy development and reporting. 


5.3 Consent 
No risks were identified regarding this principle. 
5.4 Limiting Collection 


A potential privacy risk exists in that the self-assignment of tasks in Module 1 and the actioning of those 
in Module 3 allows some staff access to more data than they should; or more data than their user role 
allows for in GCMS. However, the consultant was assured of the following: 
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1. Access to GCMS data in Chinook does not provide any user with access to more data than it 
currently has in GCMS. All CBS and LES staff who have access to GCMS currently have access to 
all of the data elements in Module 1 and 3. 

2. ALES Program Assistant, whose role in GCMS cannot approve or refuse an application, can self- 
assign decision-maker tasks in Module 1 and record approvals or refusals in Module 3. 
However, they could not perform the application-specific or group approvals/refusals in GCMS. 


IN staff interviewed for this PRA provided verbal validation that the above factors are accurate. 
However, IN was unsure if this extended to permissions/restrictions placed on EDW data extracts which 
are stored in office 


Furthermore, 


. Therefore, this risk is not 
identified in this section. 


Risk #6: There is a risk that access to the GC Docs folder where IT Operations staff upload daily EDW 
extracts allows more access than is necessary/justified. New permissions were assigned to the 

folder in July 2019. Those new permissions are clearly an improvement to the prior 
permissions (June 2019) which allowed Full Access to a large number of staff. However, under the new 
permissions, six individuals can modify the EDW Extract data files in the folder and, potentially, have a 
negative impact on the processing of files in Chinook. Conversely, there is a need for IN staff to modify 
at the folder level to upload Module 5 indicators and | IN is exploring a permissions options which 
allow Module 5 files to be added to the folder while restricting access to the EDW extracts to read only 
and to as few users as possible. Secondly, the EDW data extracts are accessible via Read Only to the 

Access to the data extracts, even in Read Only format, should be limited to 

Chinook Experts and a small number of Chinook Administrators in IN and IT Operations. 


Also, this risk extends to the permissions assigned by local offices to the Chinook data files in each local 
In interviews for this report, the permissions/restrictions applied to in the approximately 
53 offices was unknown. 


Risk Assessment: | 


Recommendation: It is recommended that IRCC restrict access to the EDW extracts to the least number 
of staff as possible. Furthermore, it is recommended that once EDW data is extracted and stored in the 
folder for consumption by IN offices, the data files cannot be modified. 


Recommendation: Chinook Experts should be instructed that access to the EDW data extracts via the 
should be 'Read Only' and limited to the least number of people as possible. 
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5.5 Limiting Use, Disclosure and Retention 


Risk 47: There is a risk that Chinook is a System of Record (SOR) and the daily purging of data files is 
inconsistent with the retention practices of TR application data. Furthermore, IRCC must consider the 


Risk Assessment: 


Recommendation: It is recommended that IRCC consult with the Department's Information 
Management (IM) SMEs to determine if Chinook is transitory information or if it is a SOR. 


Recommendation: | 


Risk 48: There is a risk that Chinook Experts, who are responsible for purging EDW extracts on a daily 
basis, are not doing so. There has not been audit, or survey conducted, to ensure such purging is being 
performed. 


Risk Assessment 
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Recommendation: Notwithstanding the outcome of Risk #7, it is recommended that IN's awareness 
material remind Chinook Experts that their should contain only one version of each EDW data 
extract. Furthermore, IRCC should consider audits or surveys of office to ensure that instruction 
is being followed. The Chinook governance structure should formalize this awareness and audit 
capability. 


Risk 49: There is a risk that there are multiple copies of Chinook being stored by Officers/Managers in 
email accounts and local drives. Through this PRA, this risk is present in at least the following areas: 


e Officers/Managers create a list of Tasks in Module 1 and populate those Tasks into Module 3 for 
an Officer to process. The locally saved Excel document/Chinook copy is emailed to the officer 
and results in a copy of Chinook being saved on multiple local drives and email folders. 


e Officers open Chinook and saving it locally, versus opening Chinook it in Read Only, as suggested 
by Chinook support staff. 


e Module 1 can be exported to Excel, where the user will save the file locally for use in GCMS or in 
Module 2. The risk of Module 1 data is far less than other areas because the data exported to a 
separate Excel document contains very little personal information, which has minimal 
sensitivities (e.g. Application Number). 


e In Module 4, when decisions are actioned, a separate workbook is created, which is likely saved 
locally by users. 


Furthermore, in the future, as Chinook is used more, there are potential efficiencies in creating multiple 
copies of certain files. For example, if CN/OSC were to be utilized to action refusal notes/letters again 
(similar to Project Peacock), multiple versions of Chinook or Chinook data will be required; i,.e. a master 
spreadsheet will be created and emailed to OSC who will perform actions in GCMS. 


Risk Assessment:| Likely/Low 


Recommendation: It is recommended that Chinook procedures and awareness are issued to staff 
regarding the creation, retention, and destruction of Chinook versions. Focused procedures and 
awareness should be placed on the examples provided in the above risk statement. 


It is recognized that IRCC may permit the short-term and local storage of Chinook data files. Ultimately, 
it is recommended that IRCC develop requirements which limit localized versions of Chinook that are 
kept longer than necessary. Requirements and awareness should support the purging of data files so 
that hundreds or thousands of Chinook/GCMS data files are not stored throughout shared drives, email 
accounts, and localized storage devices. 


5.6 Accuracy 
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No risks were identified regarding this principle that have not already been identified in another risk; for 
example, see Risk 41. 


5.7 Safeguarding 


Risk #10: There is a risk that Module 5 ` ire not being safeguarded in accordance with 

Protected/Classified information requirements of IRCC and the Government of Canada. It is noted that 

the The criteria of Module 5 
have a similar look and feel. 


Risk Assessment: |Unlikely/High 


Recommendation: It is recommended that IN interface with the IRCC DSO and determine the 
appropriate information security designation for the Module 5 (the criteria, justification, and the 
Officer Instruction). mE m | | | 


5.8 Openness 
No risks were identified regarding this principle. 
5.9 Individual Access 


Risk #11: There is a risk that Chinook information will not be released to an individual/requester due to 
the Module 3 disclaimer, which has not been reviewed and approved by IRCC ATIP. 


Risk Assessment: 


Recommendation: It is recommended that the following portion of the Module 3 disclaimer is reviewed 
and approved by ATIP: 


5.10 Compliance 


No risks were identified regarding this principle. 
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6. MANAGEMENT RISK MITIGATION ACTION PLAN 


An Action Plan supporting the mitigation of risks identified in this PRA will be created and 
managed outside of this deliverable. 


7. SUPPLEMENTARY DOCUMENTS LIST 


1. Chinook Processing Suite One Pager (November 16, 2018) 
2. Innovation Incubator Proposal; Version 3 

3. Chinook Module 1 SOPs 

4. Chinook Decision Maker User Manual 

5. Guidelines: Chinook Module 5 — Creation of | 

6. Risk Tool 

7. E : | | 

8. Module 5 Submission Template 
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10. Common Risk Impact Scale (CRIS) 
11. Common Risk Probability Scale (CRPS) 
12. 15 Minute Risk Assessment 


Canadá 
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